1. Installing ingress-nginx
We want to reach the dashboard through an ingress proxy.
Install ingress-nginx
# Fetch the manifest
wget <URL of the ingress-nginx deploy.yaml>
# Back it up
[root@master1 ~]# cp deploy.yaml{,.ori}
# Edit the file: run the controller as a DaemonSet, switch the network mode to hostNetwork, and add a nodeSelector so the ingress controller is placed on the master nodes. A later article covers scheduling with taints and tolerations.
[root@master1 ~]# diff deploy.yaml deploy.yaml.ori
< kind: DaemonSet
---
> kind: Deployment
321d320
< hostNetwork: true
324c323
< image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
---
> image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
398d396
< ingress-controller: 'true'

# Only part of the manifest is shown (it is too long to paste in full); the controller Deployment section is the part that matters here.
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      hostNetwork: true
      containers:
        - name: controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
        ingress-controller: 'true'
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---

# Label the nodes so the controller is scheduled onto them
kubectl label node master1.sysit.cn ingress-controller="true"
kubectl label node master2.sysit.cn ingress-controller="true"
kubectl label node master3.sysit.cn ingress-controller="true"
# Apply the manifest
kubectl apply -f deploy.yaml
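Review bot: in the 324c323 hunk the replacement image line drops the digest the original carried ("k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a") and pulls "registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0" by mutable tag from a mirror, so the controller that actually runs is whatever the mirror serves under that tag on the day each node pulls it, and with imagePullPolicy: IfNotPresent a node that already holds a different image under the same tag keeps using it. Pin the mirror image by digest as well, for example "image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0@sha256:<digest of the mirrored image>", after checking that digest against the upstream one shown in the ">" line.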
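Review bot: the 321d320 hunk adds "hostNetwork: true" without a comment, and its effect is larger than the one-line diff suggests: every containerPort in this manifest (80, 443, the 8443 admission webhook and the 10254 healthz port the probes use) is bound on the master nodes' own interfaces instead of a pod IP, and the nodeSelector only decides which nodes that happens on, not who may connect. Document the intended exposure in the manifest and restrict 8443 and 10254 to cluster-internal sources with host firewall rules (a NetworkPolicy does not apply to host-network pods). Note also that with hostNetwork: true the "dnsPolicy: ClusterFirst" shown falls back to the node's resolver; if the controller is expected to resolve cluster service names, ClusterFirstWithHostNet is the value to set.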
Check:

[root@master1 ~]# kubectl get pods -n ingress-nginx -o wide
NAME                                   READY   STATUS      RESTARTS   AGE     IP                NODE               NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-kpgmb   0/1     Completed   0          7m54s   10.244.197.132    node1.sysit.cn     <none>           <none>
ingress-nginx-admission-patch-qtp5t    0/1     Completed   0          7m54s   10.244.96.129     master3.sysit.cn   <none>           <none>
ingress-nginx-controller-2mgp5         1/1     Running     0          2m23s   192.168.112.141   master1.sysit.cn   <none>           <none>
ingress-nginx-controller-mwczj         1/1     Running     1          2m23s   192.168.112.142   master2.sysit.cn   <none>           <none>
ingress-nginx-controller-xgldp         1/1     Running     0          2m23s   192.168.112.143   master3.sysit.cn   <none>           <none>
[root@master1 ~]# kubectl get daemonset -n ingress-nginx
NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                                      AGE
ingress-nginx-controller   3         3         3       3            3           ingress-controller=true,kubernetes.io/os=linux   8m29s
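Before running kubectl apply -f deploy.yaml it is worth checking the edited manifest for the two things the diff above changes: a container image that is no longer pinned by digest, and hostNetwork: true on a DaemonSet. The script below is an added example written for this article, not code from the ingress-nginx project or from the original post; it assumes only POSIX sh, grep and awk, and runs over two constructed manifests, a cut-down copy of the edit above and a digest-pinned variant that reuses the upstream digest from the diff.

```shell
#!/bin/sh
# Added example (not from the original article): a pre-apply lint for the kind
# of edits made to deploy.yaml above. It flags container images that are not
# pinned by digest and hostNetwork without a nodeSelector, and lists the ports a
# host-network pod will open on the node. Exit status: 0 = clean, 1 = findings.
lint_manifest() {
    file=$1
    findings=0

    # 1. Every image: line should carry an @sha256: digest; a bare tag is mutable.
    unpinned=$(grep -E '^[[:space:]]*(-[[:space:]]+)?image:' "$file" | grep -v '@sha256:' || true)
    if [ -n "$unpinned" ]; then
        echo "$file: image not pinned by digest:"
        echo "$unpinned"
        findings=$((findings + 1))
    fi

    # 2. hostNetwork: true binds containerPorts on the node itself; insist that
    #    placement is deliberate (a nodeSelector) rather than scheduler's choice.
    if grep -q '^[[:space:]]*hostNetwork:[[:space:]]*true' "$file" \
       && ! grep -q '^[[:space:]]*nodeSelector:' "$file"; then
        echo "$file: hostNetwork: true without a nodeSelector"
        findings=$((findings + 1))
    fi

    # 3. With hostNetwork, print the ports that end up on the host address so a
    #    reviewer can confirm each one is meant to be reachable there.
    if grep -q '^[[:space:]]*hostNetwork:[[:space:]]*true' "$file"; then
        echo "$file: ports bound on the host network:" \
            $(grep -E '^[[:space:]]*containerPort:' "$file" | awk '{print $2}' | tr '\n' ' ')
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample manifests, trimmed to the fields the lint looks at.
SAMPLE_DIR=$(mktemp -d)

# Mirrors the edit in the article: mirror image by tag only, hostNetwork, no nodeSelector.
cat > "$SAMPLE_DIR/weak.yaml" <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
spec:
  template:
    spec:
      hostNetwork: true
      containers:
        - name: controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
          ports:
            - name: http
              containerPort: 80
            - name: webhook
              containerPort: 8443
EOF

# Hardened variant: digest-pinned image (the upstream digest from the article's diff) plus a nodeSelector.
cat > "$SAMPLE_DIR/pinned.yaml" <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
spec:
  template:
    spec:
      hostNetwork: true
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
          ports:
            - name: http
              containerPort: 80
      nodeSelector:
        ingress-controller: 'true'
EOF

for m in weak.yaml pinned.yaml; do
    if lint_manifest "$SAMPLE_DIR/$m"; then
        echo "$m: clean"
    else
        echo "$m: has findings"
    fi
done
```

Run it against the real deploy.yaml as lint_manifest deploy.yaml; a non-zero exit is the signal to stop in a CI step. The grep-based checks are deliberately conservative (they look at every image: line in the file, including init containers and the admission jobs), which is what you want for a manifest that will run on the control-plane nodes.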
2. Installing the dashboard

2.1 Installing the dashboard

kubectl apply -f <URL of the kubernetes-dashboard manifest>

Access through kubectl proxy
# Run the following command; it proxies the dashboard to an address reachable only from the local machine.
kubectl proxy
The address to use is:
Access through the apiserver

The dashboard can also be reached through the apiserver, at:
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
# For example, going through master1, the address is:

Access through the nginx-ingress proxy (recommended in this article)

2.2 Creating an SSL certificate
There are several ways to create an SSL certificate; we pick two here.
Generating the certificate with openssl
cat >openssl.cnf<<EOF
[req]
distinguished_name = req_distinguished_name
prompt = yes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_value = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_value = Sichuan
localityName = Locality Name (eg, city)
localityName_value = Chengdu
organizationName = Organization Name (eg, company)
organizationName_value = Sysit
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_value = R & D Department
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_value = dashboard.sysit.cn
emailAddress = Email Address
emailAddress_value = admin@sysit.cn
EOF
openssl req -newkey rsa:4096 -nodes -config openssl.cnf -days 3650 -x509 -out dashboard.crt -keyout dashboard.key
The dashboard.crt and dashboard.key produced above are the files we need.
Generating the certificate with cfssl
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "dashboard": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat >ca-csr.json<<EOF
{
  "CN": "dashboard",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Chengdu"
    }
  ]
}
EOF
cfssl gencert --initca ca-csr.json | cfssljson -bare ca -
cat >dashboard-csr.json<<EOF
{
  "CN": "*.sysit.cn",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Chengdu"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile=dashboard dashboard-csr.json | cfssljson -bare dashboard
The generated dashboard.pem and dashboard-key.pem are the files we need.
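Both recipes above produce a certificate whose only identity is the commonName: the openssl config sets no subjectAltName, and the cfssl CSR has no "hosts" entry. Browsers match the requested hostname against the SAN rather than the CN, so such a certificate is refused for dashboard.sysit.cn even though it is otherwise valid. The script below is an added example written for this article, not part of the original post or of the openssl or cfssl projects; it assumes only that the openssl CLI is installed, generates a certificate that carries the SAN, and runs the two checks worth doing before the files are imported into Kubernetes (SAN present, key matches the certificate).

```shell
#!/bin/sh
# Added example (not from the original article): self-signed certificate for the
# dashboard hostname with a subjectAltName, plus the checks to run on any
# cert/key pair before handing it to `kubectl create secret tls`.
# Assumes only the openssl CLI.

# gen_dashboard_cert DIR HOSTNAME: writes DIR/dashboard.crt and DIR/dashboard.key
gen_dashboard_cert() {
    dir=$1
    host=$2
    # prompt = no form of the article's config, plus a v3 extension block with the SAN
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
ST = Sichuan
L = Chengdu
O = Sysit
OU = R & D Department
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # 2048-bit key to keep the example quick; the article uses rsa:4096
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" 2>/dev/null
}

# cert_has_san FILE HOSTNAME: 0 if the certificate's SAN lists HOSTNAME
# (DNS: entries only appear inside the Subject Alternative Name extension)
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_key_match CERT KEY: 0 if the public key in CERT is the one derived from KEY,
# i.e. the two files really belong together
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

WORK=$(mktemp -d)
gen_dashboard_cert "$WORK" dashboard.sysit.cn
if cert_has_san "$WORK/dashboard.crt" dashboard.sysit.cn \
   && cert_key_match "$WORK/dashboard.crt" "$WORK/dashboard.key"; then
    echo "certificate OK: SAN present and key matches ($WORK)"
else
    echo "certificate NOT usable"
fi
```

The same point applies to the cfssl path: add a "hosts" array to dashboard-csr.json (for the wildcard CN above, "hosts": ["*.sysit.cn"]), otherwise cfssl warns that the CSR lacks hosts and issues a certificate without a SAN. Run cert_has_san and cert_key_match on dashboard.pem and dashboard-key.pem in the same way before creating the secret.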
Importing into Kubernetes
# The TLS secret must live in the same namespace as the Ingress that references it (kubernetes-dashboard below)
kubectl create -n kubernetes-dashboard secret tls dashboard-ssl-name --cert dashboard.pem --key dashboard-key.pem
# Output:
secret/dashboard-ssl-name created

2.3 Configuring the dashboard Ingress
cat > ingress-dashboard.yaml<<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    # class annotation the controller (started with --ingress-class=nginx) actually reads
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/secure-backends: "true"
    # ssl-passthrough is only honoured when the controller runs with --enable-ssl-passthrough;
    # otherwise TLS terminates at the ingress with dashboard-ssl-name and is re-encrypted to the backend
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.sysit.cn
    secretName: dashboard-ssl-name
  rules:
  - host: dashboard.sysit.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
EOF
kubectl apply -f ingress-dashboard.yaml
The access page then looks as follows:
Logging in
Create an admin user
kubectl create serviceaccount admin-user -n kubernetes-dashboard
Bind the user to the cluster-admin role
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user
Logging in with a token
# Get the token directly
[root@master1 ~]# kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
# Result:
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw
Use the token obtained above to log in on the page.
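The token the command above prints is a JWT, and its middle segment is base64url-encoded JSON that can be read without any key. It is worth looking at what it asserts before pasting it into the dashboard or embedding it in a kubeconfig, because the service account it names was just bound to cluster-admin. The script below is an added example written for this article, not part of the original post or of kubectl; it assumes only POSIX sh, base64, cut, sed and grep, and uses the token printed above as its sample input, so it runs offline without a cluster.

```shell
#!/bin/sh
# Added example (not from the original article): decode the service-account
# token shown above and report who it is for and whether it ever expires.
# Assumes only POSIX sh plus base64/cut/sed/grep; no kubectl needed.

# The token printed by the article's kubectl command, used here as sample input.
SAMPLE_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw'

# b64url_decode STRING: base64url -> bytes, restoring the '=' padding that JWTs strip
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    r=$(( ${#s} % 4 ))
    case "$r" in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# jwt_header TOKEN / jwt_payload TOKEN: decoded first / second dot-separated segment
jwt_header()  { b64url_decode "$(printf '%s' "$1" | cut -d. -f1)"; echo; }
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; echo; }

# jwt_alg TOKEN: signing algorithm named in the header
jwt_alg() {
    jwt_header "$1" | sed -n 's|.*"alg":"\([^"]*\)".*|\1|p'
}

# jwt_claim TOKEN NAME: value of a string claim, empty if absent
# ('|' is used as the sed delimiter because claim names here contain '/')
jwt_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# jwt_has_claim TOKEN NAME: 0 if the claim is present at all, whatever its type
jwt_has_claim() {
    jwt_payload "$1" | grep -q "\"$2\":"
}

# token_report TOKEN: the facts to check before trusting the token with cluster-admin
token_report() {
    t=$1
    echo "alg:       $(jwt_alg "$t")"
    echo "issuer:    $(jwt_claim "$t" iss)"
    echo "subject:   $(jwt_claim "$t" sub)"
    echo "namespace: $(jwt_claim "$t" kubernetes.io/serviceaccount/namespace)"
    if jwt_has_claim "$t" exp; then
        echo "expiry:    exp claim present (bounded lifetime)"
    else
        echo "expiry:    no exp claim; a secret-backed token like this never expires"
    fi
}

token_report "$SAMPLE_TOKEN"
```

The sample token has no exp claim: legacy secret-backed service-account tokens are valid until the secret is deleted, so a copy of this cluster-admin token in a kubeconfig stays usable indefinitely. On Kubernetes 1.24 and later the {.secrets[0].name} lookup used above returns nothing, because token secrets are no longer created automatically; kubectl create token admin-user -n kubernetes-dashboard --duration=1h issues a token with an exp claim instead, and the same report then shows the bounded lifetime.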
Logging in with a kubeconfig
# Retrieve the token generated in the previous step
DASHBOARD_LOGIN_TOKEN=$(kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}")
echo ${DASHBOARD_LOGIN_TOKEN}
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw
# Create a kubeconfig file that uses the token
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://<master-ip>:<apiserver-port> \
  --kubeconfig=dashboard-admin.kubeconfig
# Set the client credentials, using the token obtained above
kubectl config set-credentials admin-user \
  --token=${DASHBOARD_LOGIN_TOKEN} \
  --kubeconfig=dashboard-admin.kubeconfig
# Set the context
kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin-user \
  --kubeconfig=dashboard-admin.kubeconfig
# Make it the default context
kubectl config use-context default --kubeconfig=dashboard-admin.kubeconfig
The login page looks as follows: